DNS Views

Snowdon View

Not often will you see people posting pictures like the one on the right in an article on DNS views. It is, however, a beautiful ‘view’ as well.

For many years, 3DN has been running its own DNS service. Some time ago we decided to use PowerDNS because of its rock-solid support for multiple different back-ends. Fairly recently we got a secondary DNS server running at our POP in Vietnam. Thanks to the very versatile backend implementation of PDNS we were able to set up a MySQL slave of our PDNS backend in Vietnam with little effort.

However, one feature is sorely missed in PDNS: there does not appear to be an easy way to set up DNS views. The authors of PDNS have elaborated on their design choice not to implement views. Their argument is “Adding views would complicate the nameserver in many ways. Please run two copies of PowerDNS, they are both free!”. PDNS is a wonderful, free, open-source product, so 3DN is not going to argue that point.

What are Views

Imagine a situation where you want different networks to be served different IP addresses when looking up a hostname. This situation can occur very easily, for example:

You want hosts in a LAN to get local addresses for resources that are both public and private.

You want to redirect spamlords to the bitbucket after you have identified them.

You want different countries to go to different webservers while maintaining the same URL.

The last situation is exactly our main reason at 3DN for wanting to implement views in PDNS. Vietnam at the present time, due mostly to its unique geography, is very dependent on subsea internet connections. The long, narrow country is bordered by a near-impenetrable mountain range on its west side. Throughout history this mountain range has very effectively kept intruders out, but today it is also an obstacle to laying cable in the ground easily.

As a consequence, international internet connectivity is sometimes relatively slow. However, as Vietnam started its internet infrastructure relatively late, on a national level they have been able to use modern technologies and build an excellent local network with high speed available to many people. So we sat down and thought of a way to build a website that could easily be viewed rapidly from Vietnam and from the rest of the world.

IPTables

One difficulty with the solution suggested by the PDNS authors is that every DNS request from an outside network typically goes to UDP port 53. On a Linux server, and in fact on any server, only one application can be listening on a specific UDP port. So ‘Please run two copies of PowerDNS’ is not a trivial suggestion.

On Linux, however, using the iptables functionality in the kernel, it is easy to take an incoming IP packet, check its source IP address and forward the packet to another UDP port if it is coming from a network we want to give a different DNS reply.
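As an added example, not part of the original article or of 3DN's systool, the script below generates the iptables rules that steer queries from a chosen source network to a second PDNS instance. It assumes (not stated in the article) that each extra view runs as its own PowerDNS instance on an alternate port, that the view table is a constructed "name cidr port" list, and that TCP port 53 is redirected alongside UDP so that truncated replies retried over TCP reach the same view.

```shell
#!/bin/sh
# Added example: build iptables rules that send DNS queries from a given source
# network to a second PowerDNS instance listening on another port.
# Assumptions (not from the article): extra views listen on 5300/5301,
# the default view keeps port 53, and the view table below is constructed.

# Constructed view table: "name source-cidr target-port", one view per line.
VIEWS="vietnam 203.0.113.0/24 5300
lan 10.0.0.0/8 5301"

# Emit the rules for one view. REDIRECT in the nat PREROUTING chain rewrites
# the destination port on the local host before routing; conntrack reverses
# the rewrite on the reply, so the client still sees an answer from port 53.
# Both UDP and TCP are covered so TCP fallback stays inside the same view.
view_rules() {
  # $1 = source CIDR, $2 = port of the PDNS instance serving this view
  for proto in udp tcp; do
    printf 'iptables -t nat -A PREROUTING -p %s -s %s --dport 53 -j REDIRECT --to-ports %s\n' \
      "$proto" "$1" "$2"
  done
}

# Emit the rules for every view in the table, with a comment line per view.
all_rules() {
  printf '%s\n' "$VIEWS" | while read -r name cidr port; do
    [ -n "$name" ] || continue
    printf '# view: %s\n' "$name"
    view_rules "$cidr" "$port"
  done
}

# Print the rules by default; "--apply" executes them (needs root and iptables).
main() {
  if [ "${1:-}" = "--apply" ]; then
    all_rules | grep '^iptables' | sh -e
  else
    all_rules
  fi
}
```

Rules are matched in order, so a more specific network must be listed before a wider one that contains it; any source that matches no rule keeps reaching the default instance on port 53.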

This is the approach we will take at 3DN to create multiple views while still using PDNS. Currently we are working on this functionality in combination with our systool, which will make it easy to manage the iptables rules and the several PDNS backends. Please check back if you would like to read more about this solution.